sql component handle placeholder

solaoi · May 9, 2022 · 75ec66f · 75ec66f
1 parent 200e09a
commit 75ec66f
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 3 deletions.
diff --git a/command/cmd/api.go b/command/cmd/api.go
@@ -117,6 +117,21 @@ func isJSONorHTMLNode(name string) bool {
 	return isJSONNode(name) || name == "Template"
 }
 
+func isSQLInjectionParams(value string) bool {
+	regs := [...] *regexp.Regexp {
+		regexp.MustCompile(`(%27)|(')|(--)|(%23)|(#)`),
+		regexp.MustCompile(`((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))`),
+		regexp.MustCompile(`w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))`),
+		regexp.MustCompile(`((%27)|('))union`),
+	}
+	val := strings.ToLower(value)
+	for _, reg := range regs {
+			isSQLInjection := reg.MatchString(val)
+			if isSQLInjection {return true}
+	}
+	return false
+}
+
 func endpointHandler(c echo.Context) error {
 	return c.Blob(http.StatusOK, staticEndpoints[c.Path()].ContentType, []byte(staticEndpoints[c.Path()].Content))
 }
@@ -303,13 +318,42 @@ func contentBuilder(contents map[int]map[string]map[string]interface{}) func(req
 						tmp := map[string]string{}
 						err := json.Unmarshal([]byte(pathParams), &tmp)
 						if err != nil {
-							log.Fatal(err)
+							return body{http.StatusBadRequest, "", []apiResponse{}}
 						}
 						for k, v := range tmp {
 							unformattedURL = strings.ReplaceAll(unformattedURL, ":"+k, v)
 						}
 					}
 					c[i][k]["content"] = unformattedURL
+				} else if v["name"] == "SqlWithPlaceHolder" {
+					unformattedSQL := v["content"].(string)
+					placeHolderParams := ""
+					for _, v1 := range c[i+1] {
+						if v1["parent"] == k {
+							placeHolderParams = v1["content"].(string)
+						}
+					}
+					if placeHolderParams != "" {
+						tmp := map[string]string{}
+						err := json.Unmarshal([]byte(placeHolderParams), &tmp)
+						dbType := "Common"
+						if err != nil {
+							if reqDBCounter != nil {
+								reqDBCounter.WithLabelValues(dbType, err.Error()).Inc()
+							}
+							return body{http.StatusBadRequest, "", []apiResponse{}}
+						}
+						for k, v := range tmp {
+							if (isSQLInjectionParams(v)){
+								if reqDBCounter != nil {
+									reqDBCounter.WithLabelValues(dbType, "Reject SQL Injection: " + v).Inc()
+								}
+								return body{http.StatusBadRequest, "", []apiResponse{}}
+							}
+							unformattedSQL = strings.ReplaceAll(unformattedSQL, "${"+k+"}", v)
+						}
+					}
+					c[i][k]["content"] = unformattedSQL
 				} else if v["name"] == "Request" {
 					content := v["content"].(map[string]interface{})
 					requestType := fmt.Sprintf("%v", content["type"])
@@ -368,7 +412,7 @@ func contentBuilder(contents map[int]map[string]map[string]interface{}) func(req
 					dummyJSON := ""
 					for _, v1 := range c[i+1] {
 						if v1["parent"] == k {
-							if v1["name"] == "SQL" {
+							if v1["name"] == "SQL" || v1["name"] == "SqlWithPlaceHolder" {
 								query = v1["content"].(string)
 							} else if v1["name"] == "DummyJSON" {
 								dummyJSON = v1["content"].(string)

diff --git a/ui/src/rete.jsx b/ui/src/rete.jsx
@@ -17,6 +17,7 @@ import { UrlComponent } from "./rete/components/input/UrlComponent";
 import { UrlWithPathParamComponent } from "./rete/components/input/UrlWithPathParamComponent";
 import { HtmlComponent } from "./rete/components/input/HtmlComponent";
 import { SqlComponent } from "./rete/components/input/SqlComponent";
+import { SqlWithPlaceHolderComponent } from "./rete/components/input/SqlWithPlaceHolderComponent";
 import { TemplateComponent } from "./rete/components/template/TemplateComponent";
 import { HandlebarsComponent } from "./rete/components/template/HandlebarsComponent";
 import { PugComponent } from "./rete/components/template/PugComponent";
@@ -77,6 +78,7 @@ export async function createEditor(container) {
     new HandlebarsComponent(handlebarsSocket),
     new PugComponent(pugSocket),
     new SqlComponent(sqlSocket),
+    new SqlWithPlaceHolderComponent(sqlSocket, jsonSocket),
     new ApiComponent(jsonSocket, dummyJsonSocket, urlSocket),
     new MySQLComponent(jsonSocket, dummyJsonSocket, sqlSocket),
     new PostgreSQLComponent(jsonSocket, dummyJsonSocket, sqlSocket),

diff --git a/ui/src/rete/components/input/SqlWithPlaceHolderComponent.js b/ui/src/rete/components/input/SqlWithPlaceHolderComponent.js
@@ -0,0 +1,31 @@
+import Rete from "rete";
+import { SqlControl } from "../../controls/SqlControl";
+
+export class SqlWithPlaceHolderComponent extends Rete.Component {
+  path = ["New"];
+
+  constructor(socket, jsonSocket) {
+    super("SqlWithPlaceHolder");
+    this.socket = socket;
+    this.jsonSocket = jsonSocket;
+  }
+
+  builder(node) {
+    const input = new Rete.Input(
+      "placeHolderParams",
+      "placeHolderParams (JSON)",
+      this.jsonSocket
+    );
+    const out = new Rete.Output("sql", "SQL", this.socket);
+
+    return node
+      .addInput(input)
+      .addControl(new SqlControl(this.editor, "sql", node))
+      .addOutput(out);
+  }
+
+  worker(node, _, outputs) {
+    outputs.sql = node.data.sql;
+    outputs.placeHolderParams = node.data.placeHolderParams;
+  }
+}
diff --git a/ui/src/rete/controls/EditableSqlComponent.jsx b/ui/src/rete/controls/EditableSqlComponent.jsx
@@ -22,7 +22,8 @@ export const EditableSqlComponent = ({ value, onChange }) => {
       value={code}
       onValueChange={(c) => {
         try {
-          parser.parse(c);
+          const replacedForPlaceHolder = c.replaceAll(/\$\{.*?\}/g, "dummy");
+          parser.parse(replacedForPlaceHolder);
           setWarn(false);
           setStack(null);
         } catch (e) {